Bug 139592

Summary: SVG masking can cause loadPendingResources() re-entrancy
Product: WebKit
Reporter: Simon Fraser (smfr) <simon.fraser>
Component: CSS
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED DUPLICATE
Severity: Normal
CC: mihnea, simon.fraser, stavila
Priority: P2
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified
Bug Depends on: 139644
Bug Blocks: 139294

Description Simon Fraser (smfr) 2014-12-12 12:22:07 PST
While running tests, I just saw css3/masking/mask-svg-script-mask-to-entire-svg.html cause a crash which indicates bad behavior:

Application Specific Information:
CRASHING TEST: css3/masking/mask-svg-script-mask-to-entire-svg.html

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.JavaScriptCore      	0x0000000116070a2a WTFCrash + 42
1   com.apple.WebCore             	0x00000001192c13d9 WebCore::StyleResolver::loadPendingResources() + 153 (StyleResolver.cpp:3759)
2   com.apple.WebCore             	0x00000001192bb0a2 WebCore::StyleResolver::applyMatchedProperties(WebCore::StyleResolver::MatchResult const&, WebCore::Element const*, WebCore::StyleResolver::ShouldUseMatchedPropertiesCache) + 1906 (StyleResolver.cpp:1827)
3   com.apple.WebCore             	0x00000001192b8ca3 WebCore::StyleResolver::styleForElement(WebCore::Element*, WebCore::RenderStyle*, WebCore::StyleSharingBehavior, WebCore::RuleMatchingBehavior, WebCore::RenderRegion const*) + 1251 (StyleResolver.cpp:803)
4   com.apple.WebCore             	0x00000001193739f6 WebCore::SVGElement::customStyleForRenderer(WebCore::RenderStyle&) + 150 (SVGElement.cpp:790)
5   com.apple.WebCore             	0x00000001192e796a WebCore::Style::styleForElement(WebCore::Element&, WebCore::RenderStyle&) + 106 (StyleResolveTree.cpp:259)
6   com.apple.WebCore             	0x00000001192e59f2 WebCore::Style::resolveLocal(WebCore::Element&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&, WebCore::Style::Change) + 146 (StyleResolveTree.cpp:749)
7   com.apple.WebCore             	0x00000001192e342d WebCore::Style::resolveTree(WebCore::Element&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&, WebCore::Style::Change) + 301 (StyleResolveTree.cpp:918)
8   com.apple.WebCore             	0x00000001192e368b WebCore::Style::resolveTree(WebCore::Element&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&, WebCore::Style::Change) + 907 (StyleResolveTree.cpp:957)
9   com.apple.WebCore             	0x00000001192e368b WebCore::Style::resolveTree(WebCore::Element&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&, WebCore::Style::Change) + 907 (StyleResolveTree.cpp:957)
10  com.apple.WebCore             	0x00000001192e368b WebCore::Style::resolveTree(WebCore::Element&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&, WebCore::Style::Change) + 907 (StyleResolveTree.cpp:957)
11  com.apple.WebCore             	0x00000001192e32ea WebCore::Style::resolveTree(WebCore::Document&, WebCore::Style::Change) + 474 (StyleResolveTree.cpp:996)
12  com.apple.WebCore             	0x0000000117b72996 WebCore::Document::recalcStyle(WebCore::Style::Change) + 470 (Document.cpp:1798)
13  com.apple.WebCore             	0x0000000117b6eadf WebCore::Document::updateStyleIfNeeded() + 431 (Document.cpp:1841)
14  com.apple.WebCore             	0x0000000117ecb6a2 WebCore::FrameLoader::stopLoading(WebCore::UnloadEventPolicy) + 1218 (FrameLoader.cpp:473)
15  com.apple.WebCore             	0x0000000117ecbbef WebCore::FrameLoader::closeURL() + 111 (FrameLoader.cpp:547)
16  com.apple.WebCore             	0x0000000117ed5d75 WebCore::FrameLoader::detachFromParent() + 53 (FrameLoader.cpp:2486)
17  com.apple.WebCore             	0x0000000117ed61fb WebCore::FrameLoader::frameDetached() + 59 (FrameLoader.cpp:2479)
18  com.apple.WebCore             	0x00000001193d33b1 WebCore::SVGImage::~SVGImage() + 561 (SVGImage.cpp:60)
19  com.apple.WebCore             	0x00000001193d3795 WebCore::SVGImage::~SVGImage() + 21 (SVGImage.cpp:65)
20  com.apple.WebCore             	0x00000001193d37b9 WebCore::SVGImage::~SVGImage() + 25 (SVGImage.cpp:56)
21  com.apple.WebCore             	0x00000001177c4113 WTF::RefCounted<WebCore::Image>::deref() + 83 (RefCounted.h:146)
22  com.apple.WebCore             	0x00000001177c40b1 void WTF::derefIfNotNull<WebCore::Image>(WebCore::Image*) + 65 (PassRefPtr.h:41)
23  com.apple.WebCore             	0x00000001177fcf67 WTF::RefPtr<WebCore::Image>::clear() + 39 (RefPtr.h:110)
24  com.apple.WebCore             	0x00000001177f8c77 WebCore::CachedImage::clearImage() + 103 (CachedImage.cpp:365)
25  com.apple.WebCore             	0x00000001177f668d WebCore::CachedImage::~CachedImage() + 61 (CachedImage.cpp:108)
26  com.apple.WebCore             	0x00000001177f67b5 WebCore::CachedImage::~CachedImage() + 21 (CachedImage.cpp:108)
27  com.apple.WebCore             	0x00000001177f6809 WebCore::CachedImage::~CachedImage() + 25 (CachedImage.cpp:106)
28  com.apple.WebCore             	0x000000011780423e WebCore::CachedResource::deleteIfPossible() + 94 (CachedResource.cpp:487)
29  com.apple.WebCore             	0x0000000117804f4e WebCore::CachedResource::unregisterHandle(WebCore::CachedResourceHandleBase*) + 174 (CachedResource.cpp:666)
30  com.apple.WebCore             	0x000000011781098a WebCore::CachedResourceHandleBase::setResource(WebCore::CachedResource*) + 74 (CachedResourceHandle.cpp:64)
31  com.apple.WebCore             	0x0000000117815ce7 WebCore::CachedResourceHandle<WebCore::CachedResource>::operator=(WebCore::CachedResourceHandle<WebCore::CachedResource> const&) + 55 (CachedResourceHandle.h:73)
32  com.apple.WebCore             	0x0000000117811e07 WebCore::CachedResourceLoader::requestResource(WebCore::CachedResource::Type, WebCore::CachedResourceRequest&) + 1287 (CachedResourceLoader.cpp:478)
33  com.apple.WebCore             	0x0000000117812820 WebCore::CachedResourceLoader::requestSVGDocument(WebCore::CachedResourceRequest&) + 64 (CachedResourceLoader.cpp:246)
34  com.apple.WebCore             	0x0000000117822035 WebCore::CachedSVGDocumentReference::load(WebCore::CachedResourceLoader*) + 309 (CachedSVGDocumentReference.cpp:64)
35  com.apple.WebCore             	0x00000001192c70ff WebCore::StyleResolver::loadPendingSVGDocuments() + 527 (StyleResolver.cpp:3403)
36  com.apple.WebCore             	0x00000001192c13f7 WebCore::StyleResolver::loadPendingResources() + 183 (StyleResolver.cpp:3770)
37  com.apple.WebCore             	0x00000001192bb0a2 WebCore::StyleResolver::applyMatchedProperties(WebCore::StyleResolver::MatchResult const&, WebCore::Element const*, WebCore::StyleResolver::ShouldUseMatchedPropertiesCache) + 1906 (StyleResolver.cpp:1827)
38  com.apple.WebCore             	0x00000001192b8ca3 WebCore::StyleResolver::styleForElement(WebCore::Element*, WebCore::RenderStyle*, WebCore::StyleSharingBehavior, WebCore::RuleMatchingBehavior, WebCore::RenderRegion const*) + 1251 (StyleResolver.cpp:803)
39  com.apple.WebCore             	0x00000001192e7a32 WebCore::Style::styleForElement(WebCore::Element&, WebCore::RenderStyle&) + 306 (StyleResolveTree.cpp:263)
40  com.apple.WebCore             	0x00000001192e6bb0 WebCore::Style::createRendererIfNeeded(WebCore::Element&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&, WTF::PassRefPtr<WebCore::RenderStyle>) + 208 (StyleResolveTree.cpp:288)
41  com.apple.WebCore             	0x00000001192e6777 WebCore::Style::attachRenderTree(WebCore::Element&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&, WTF::PassRefPtr<WebCore::RenderStyle>) + 263 (StyleResolveTree.cpp:615)
42  com.apple.WebCore             	0x00000001192e717b WebCore::Style::attachChildren(WebCore::ContainerNode&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&) + 347 (StyleResolveTree.cpp:484)
43  com.apple.WebCore             	0x00000001192e6849 WebCore::Style::attachRenderTree(WebCore::Element&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&, WTF::PassRefPtr<WebCore::RenderStyle>) + 473 (StyleResolveTree.cpp:631)
44  com.apple.WebCore             	0x00000001192e717b WebCore::Style::attachChildren(WebCore::ContainerNode&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&) + 347 (StyleResolveTree.cpp:484)
45  com.apple.WebCore             	0x00000001192e6849 WebCore::Style::attachRenderTree(WebCore::Element&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&, WTF::PassRefPtr<WebCore::RenderStyle>) + 473 (StyleResolveTree.cpp:631)
46  com.apple.WebCore             	0x00000001192e5af0 WebCore::Style::resolveLocal(WebCore::Element&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&, WebCore::Style::Change) + 400 (StyleResolveTree.cpp:756)
47  com.apple.WebCore             	0x00000001192e342d WebCore::Style::resolveTree(WebCore::Element&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&, WebCore::Style::Change) + 301 (StyleResolveTree.cpp:918)
48  com.apple.WebCore             	0x00000001192e32ea WebCore::Style::resolveTree(WebCore::Document&, WebCore::Style::Change) + 474 (StyleResolveTree.cpp:996)
49  com.apple.WebCore             	0x0000000117b72996 WebCore::Document::recalcStyle(WebCore::Style::Change) + 470 (Document.cpp:1798)
50  com.apple.WebCore             	0x0000000117b6eadf WebCore::Document::updateStyleIfNeeded() + 431 (Document.cpp:1841)
51  com.apple.WebCore             	0x0000000117b7f472 WebCore::Document::finishedParsing() + 450 (Document.cpp:4613)
52  com.apple.WebCore             	0x0000000118027c68 WebCore::HTMLConstructionSite::finishedParsing() + 24 (HTMLConstructionSite.cpp:396)
53  com.apple.WebCore             	0x0000000118160e17 WebCore::HTMLTreeBuilder::finished() + 183 (HTMLTreeBuilder.cpp:3010)
54  com.apple.WebCore             	0x0000000118056dee WebCore::HTMLDocumentParser::end() + 190 (HTMLDocumentParser.cpp:440)
55  com.apple.WebCore             	0x0000000118054e53 WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd() + 275 (HTMLDocumentParser.cpp:451)
56  com.apple.WebCore             	0x0000000118054c60 WebCore::HTMLDocumentParser::prepareToStopParsing() + 288 (HTMLDocumentParser.cpp:166)
57  com.apple.WebCore             	0x0000000118056e43 WebCore::HTMLDocumentParser::attemptToEnd() + 67 (HTMLDocumentParser.cpp:463)
58  com.apple.WebCore             	0x0000000118056e98 WebCore::HTMLDocumentParser::finish() + 72 (HTMLDocumentParser.cpp:491)
59  com.apple.WebCore             	0x0000000117c0100a WebCore::DocumentWriter::end() + 346 (DocumentWriter.cpp:247)
60  com.apple.WebCore             	0x0000000117bc89d3 WebCore::DocumentLoader::finishedLoading(double) + 1587 (DocumentLoader.cpp:441)
61  com.apple.WebCore             	0x0000000117bc830e WebCore::DocumentLoader::notifyFinished(WebCore::CachedResource*) + 270 (DocumentLoader.cpp:375)
62  com.apple.WebCore             	0x0000000117803262 WebCore::CachedResource::checkNotify() + 130 (CachedResource.cpp:293)
63  com.apple.WebCore             	0x0000000117803374 WebCore::CachedResource::finishLoading(WebCore::SharedBuffer*) + 52 (CachedResource.cpp:310)
64  com.apple.WebCore             	0x00000001177fed1a WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) + 218 (CachedRawResource.cpp:105)
Comment 1 Alexey Proskuryakov 2014-12-14 18:02:25 PST
The fix for bug 139294 was rolled out, so this problem doesn't occur any more. Keeping this open in case this needs to be addressed separately before the fix can be re-landed.
Comment 2 Radu Stavila 2014-12-18 03:57:05 PST
The pre-existing issue that caused this problem has been fixed - https://bugs.webkit.org/show_bug.cgi?id=139644

*** This bug has been marked as a duplicate of bug 139644 ***